diff --git a/core/docker-compose.yml b/core/docker-compose.yml
index a400401..e8af0d7 100644
--- a/core/docker-compose.yml
+++ b/core/docker-compose.yml
@@ -122,6 +122,8 @@ services:
 - traefik.http.routers.authelia.tls.certresolver=myresolver
 - io.portainer.accesscontrol.public
 - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.lan.ddnsgeek.com/
+ # Keep trustForwardHeader enabled so Authelia evaluates the real client IP from
+ # X-Forwarded-* headers that Traefik now accepts only from trustedIPs.
 - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
 - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups
 - traefik.http.middlewares.authelia.forwardauth.maxResponseBodySize=2097152
diff --git a/core/traefik/traefik.yml b/core/traefik/traefik.yml
index 84403ac..2f0bbd1 100644
--- a/core/traefik/traefik.yml
+++ b/core/traefik/traefik.yml
@@ -24,7 +24,16 @@ entryPoints:
 web:
 address: ":80"
 forwardedHeaders:
- insecure: true
+ # Trust forwarding headers only from upstream proxies/LBs under our control.
+ # Network assumptions for this stack:
+ # - 127.0.0.1/32: local host-side reverse-proxy hops
+ # - 192.168.2.0/24: LAN edge proxies
+ # - 172.21.0.0/16: pinned Docker subnet for the traefik bridge network
+ insecure: false
+ trustedIPs:
+ - "127.0.0.1/32"
+ - "192.168.2.0/24"
+ - "172.21.0.0/16"
 http:
 redirections:
 entryPoint:
@@ -34,7 +43,11 @@ entryPoints:
 websecure:
 address: ":443"
 forwardedHeaders:
- insecure: true
+ insecure: false
+ trustedIPs:
+ - "127.0.0.1/32"
+ - "192.168.2.0/24"
+ - "172.21.0.0/16"
 http:
 middlewares:
 - default-chain@file
diff --git a/default-network.yml b/default-network.yml
index 31e199d..8dacf6c 100644
--- a/default-network.yml
+++ b/default-network.yml
@@ -1,5 +1,7 @@
 networks:
 traefik:
 driver: bridge
+ ipam:
+ config:
+ - subnet: 172.21.0.0/16
 monitor: -
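Review bot: The comment added above `trustForwardHeader=true` ties what Authelia sees as the client IP to a list that lives in a different file, but does not name that file, so the two settings can drift silently: any address later added to `entryPoints.*.forwardedHeaders.trustedIPs` becomes a source whose X-Forwarded-For Authelia will accept, presumably for any network-based access rules or per-IP regulation it is configured with (the Authelia config is not in this diff). Suggest making the coupling explicit: `# Only safe while entryPoints.{web,websecure}.forwardedHeaders.trustedIPs in core/traefik/traefik.yml is limited to hosts untrusted clients cannot reach; widening that list widens what Authelia treats as the client IP.` The labels list this hunk sits in continues outside the hunk.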
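Review bot: Trusting all of `172.21.0.0/16`, the entire traefik bridge network, means every container attached to that network can connect to :80 and present a forged X-Forwarded-For that Traefik passes through unchanged, and with `trustForwardHeader=true` on the authelia middleware a compromised backend can then spoof any client address, including a LAN one, to whatever IP-based decisions sit behind it. Traefik only needs to trust the address of a proxy that actually sits in front of it (the services it routes to never send it X-Forwarded-* headers), so unless a tunnel or proxy container lives on that network the entry should be dropped; if one does, give it a fixed `ipv4_address` in compose and trust that single `/32` instead of the whole subnet. The same reasoning argues for narrowing `192.168.2.0/24` to the specific LAN proxy hosts the comment refers to, since any LAN device able to reach the entrypoint directly can otherwise spoof too. The `127.0.0.1/32` entry is likely inert if Traefik runs as a container on a bridge network, because host-originated connections then arrive from the bridge gateway address rather than loopback; worth confirming or removing so the comment does not document trust that never applies.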
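Review bot: The websecure `trustedIPs` list is a verbatim copy of the one on the `web` entrypoint, and since `web` redirects to `websecure` it is this copy that governs every real request, so an edit to one list and not the other would leave the two entrypoints disagreeing about who may set X-Forwarded-* without any error. Define the list once with a YAML anchor on the `web` block, `trustedIPs: &trusted_forwarders`, and reference it here with `trustedIPs: *trusted_forwarders`, so the two cannot diverge (Traefik reads this file with a standard YAML parser, so the alias resolves before Traefik sees it). `insecure: false` is the documented default for this option, so the explicit key is documentation only; fine to keep, but a one-line comment here would help since the explanatory comment in this commit sits only on the `web` block.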